Microsoft Removal Solutions

In FY 2019, the U.S. Government is removing the Federal Common Policy Certification Authority (CA) root certificate from the Microsoft certificate store (also called a trust store). This change will affect all federal agencies and may have an impact on the following services:

Personal Identity Verification (PIV) credential authentication to government networks

To mitigate any impact this change may have on agency networks and applications, you will need to manually retrieve the FCPCA (i.e., COMMON) root certificate (sometimes also called the U.S. Government root CA certificate), import this certificate into agency enterprise certificate stores, and ensure that this change is propagated throughout the networks.

The root certificate is available immediately and will remain unchanged. Please follow one of the options under Solutions to mitigate negative impacts.

All agencies are encouraged to complete this action as soon as possible.

Solutions

To limit the impact to your agency, you will need to redistribute the Federal Common Policy CA (FCPCA) (i.e., COMMON) root certificate as a trusted root certificate to all government-furnished Windows workstations and devices.

Assign the file: for Create in site, select site name, and for Create in domain, select domain name. Click Okay.

From the left side panel, click Analyses to see a list of imported analysis files.

Click Federal Common Policy CA Redistribution Detection (i.e., FPKIRootDetection.bes) and click the Results tab to see the redistribution analysis. If the analysis was not activated by default, right-click the file and then click Activate Globally.

For each workstation or device listed, “Has COMMON Been Redistributed?” should say True. If False, you’ll need to investigate the cause of the failure. If you can’t find a cause, please contact us at fpki@gsa.gov.

Use Microsoft Certificate Manager

Go to Trusted Root Certification Authorities -> Certificates. To see whether COMMON was successfully redistributed, look for Federal Common Policy CA shown with Intended Purposes of ALL and a Friendly Name of None, as shown here:

Note: You may see more than one copy of COMMON. For example, the screenshot above shows 3 entries for COMMON:

The first entry (“dashed” border) is from Microsoft’s Certificate Trust List (CTL) (i.e., certificate store). Microsoft-distributed copies show multiple Intended Purposes values and a Friendly Name of U.S. Government Common Policy.

The remaining two entries are examples of enterprise-distributed copies. Enterprise-distributed copies show Intended Purposes of ALL and a Friendly Name of None.
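One way to perform the redistribution described under Solutions and the Certificate Manager check above on a single workstation from PowerShell. This is an added example, not code from the GSA page or its BigFix content; the certificate file path and the expected-thumbprint placeholder are assumptions you replace with the values your agency verified.

```powershell
# Added example, not from the GSA playbook: import COMMON into the machine-wide
# Trusted Root store and report every copy present, then answer the same
# question the BigFix analysis asks ("Has COMMON been redistributed?").
# Assumed inputs: $CertPath (where you saved the retrieved root certificate) and
# $ExpectedThumbprint (placeholder; use the value your agency verified out-of-band).
param(
    [string]$CertPath = 'C:\FPKI\fcpca.cer',
    [string]$ExpectedThumbprint = 'REPLACE-WITH-VERIFIED-THUMBPRINT'
)

$Store = 'Cert:\LocalMachine\Root'

function Get-CommonCopies {
    # Every certificate in the store whose subject names the Federal Common Policy CA.
    Get-ChildItem -Path $Store | Where-Object { $_.Subject -like '*Federal Common Policy CA*' } |
        ForEach-Object {
            # Friendly Name is a store property (not part of the certificate itself), so it
            # distinguishes the copy Microsoft ships via its CTL ('U.S. Government Common
            # Policy') from an enterprise-distributed copy (no friendly name, shown as None).
            $friendly = if ($_.FriendlyName) { $_.FriendlyName } else { 'None' }
            [pscustomobject]@{
                Thumbprint   = $_.Thumbprint
                FriendlyName = $friendly
                Origin       = if ($friendly -eq 'None') { 'Enterprise-distributed' } else { 'Microsoft CTL' }
                NotAfter     = $_.NotAfter
            }
        }
}

function Test-CommonRedistributed {
    # True when at least one enterprise-distributed copy is present; this is what must
    # hold on every workstation once Microsoft drops COMMON from its own store.
    @(Get-CommonCopies | Where-Object Origin -eq 'Enterprise-distributed').Count -gt 0
}

# 1. Check the retrieved file against the thumbprint you verified before trusting it.
$file = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
if ($file.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
    throw "Thumbprint of $CertPath ($($file.Thumbprint)) does not match the expected value"
}

# 2. Import it into Trusted Root Certification Authorities (run from an elevated prompt).
Import-Certificate -FilePath $CertPath -CertStoreLocation $Store | Out-Null

# 3. Show what Certificate Manager would show, then the yes/no answer.
Get-CommonCopies | Format-Table -AutoSize
"Has COMMON been redistributed? $(Test-CommonRedistributed)"
```

This checks one host only; fleet-wide distribution still goes through BigFix or Group Policy as the Solutions section describes.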

Frequently Asked Questions

Where can I get the DHS Federal Network Resilience (FNR) Webinar slides?

I’m still not sure I get it. Can you explain this change to me in a different way?

Current State: Microsoft distributes the Federal Common Policy CA (FCPCA) (i.e., COMMON) root certificate from its certificate store to all Windows workstations and devices. This means that Microsoft trusts COMMON as a known root certification authority. Because Microsoft trusts COMMON, it also trusts all Federal PKI CA-issued certificates, since their trust chains terminate at COMMON.

Future State: When COMMON is removed from Microsoft’s certificate store, Windows will no longer trust COMMON or any Federal PKI CA-issued certificate that chains to it. If an agency has not redistributed COMMON by this time, users could experience authentication errors and other issues. You can prevent these errors and issues by redistributing COMMON as soon as possible.

What happens if I don’t redistribute COMMON?

1. (High Impact) Authentication failures:

Workstations

Websites

Applications (internal and cross-agency)

Virtual Private Networks (VPNs)

2. (Medium Impact) Error fatigue:

Unexpected application errors and system behavior for legacy and government-off-the-shelf (GOTS) products

3. (Low Impact) Digital-signature validation failures:

Email

Documents and files (e.g., Microsoft Word)

What kinds of errors could I see?

Sample Chrome error when a user navigates to an intranet site whose SSL/TLS certificate doesn’t chain to a trusted root CA:

How can I verify that COMMON has been successfully redistributed to my workstation or device?

Can multiple copies of COMMON coexist in my workstation’s or device’s certificate store?

Yes! But don’t worry - an enterprise-distributed copy of COMMON won’t conflict with Microsoft’s distributed copy.

My agency gets PIV cards from [Issuer Name]. I won’t be affected by this change, right?

Incorrect. Your PIV credential issuer and how agency credentials are generated or issued will not be impacted by this change. The impact relates to COMMON’s removal from Microsoft’s trust stores and how to mitigate this impact by redistributing COMMON to federal enterprise workstations and devices. (See What happens if I don’t redistribute COMMON?.)

Will my PIV credentials break or need to be updated or replaced when this change occurs?

No. PIV credentials will not be affected by this change.

Do I need to redistribute COMMON to my “Bring Your Own Device” (BYOD) program device?

As a BYOD program device user, you’ll need to redistribute COMMON if you:

Use your PIV credential to log into intranet sites or VPNs

Validate PIV digital signatures (emails or documents)

Navigate to intranet pages whose SSL/TLS certificates chain to COMMON

Can I test the impact of Microsoft’s removal of COMMON?

It is possible to simulate the Microsoft certificate store’s future state. It is not recommended due to the potential for destructive outcomes. If you’re interested in learning more, please contact us at fpki@gsa.gov.